Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Home Depot Breach Expands, Privilege Escalation Flaw to Blame

NEWS ANALYSIS: A compromise of a third-party vendor's access credentials that led to 53 million user email addresses being stolen was just the first step of the Home Depot attack. Other retailers would do well to learn from this attack.

WEBINAR:On-Demand

Home Depot revealed new information on Nov. 6 about its data breach that it first officially confirmed in September. Home Depot initially reported that the breach, which lasted from April to September of this year, impacted 56 million credit card holders. The scope of the breach has now been expanded to include 53 million user emails. Home Depot has not publicly disclosed how many of the breached emails overlap with the credit card account users.

For those 53 million accounts, the attackers only stole the email addresses, and Home Depot has stated that no additional payment card, passwords or personal information was stolen.

The new secondary disclosure that email information was stolen in addition to payment card information follows the same pattern that the Target breach took. Target initially disclosed in December 2013 that 40 million payment cards were stolen in its data breach. In January, Target increased that number and revealed that the personal information of 70 million customers was taken.

Home Depot is providing some insight into how the attacker was able to get inside its network. A third-party vendor's username and password were somehow compromised, giving the attacker access to the network.

Further reading

The attacker having third-party access, however, is not the end of the story. Home Depot revealed that the third-party credentials enabled the attacker to get into its network perimeter and from there had to exploit another vulnerability in order to do damage.

"These stolen credentials alone did not provide direct access to the company's point-of-sale devices," Home Depot stated in a press release. "The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom built malware on its self check out systems in the U.S. and Canada."

That's the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage.

We don't not know the specifics of the privilege escalation flaw used, though there are myriad techniques that hackers can use. Among the different techniques that an attacker can deploy on Windows systems, for example, to advance privileges is the NTLM (Windows NT LAN Manager) Pass-the Hash attack, in which credential access can be elevated. There are other types of privilege escalation attacks that work on Linux and Unix systems as well. The bottom line though is that a proper change management system and access policy management system might have noticed the privilege escalation. Apparently in the Home Depot incident, the privilege escalation flaw was not detected when it initially occurred.

Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers.

What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn't just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that's one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake.

All of this breach activity comes with a cost that Home Depot will need to pay. At this point those costs are unknown.

"The company is not able to estimate the costs, or a range of costs, related to the breach," Home Depot stated.

As the holiday shopping season is almost here, other retailers would do well to learn quickly from the lessons of Home Depot and other breaches to protect themselves and their customers.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.